Tuesday, September 9, 2014

SECURE the Internet of Things (IoT)

I would like to present my idea how to protect the IoT. I’m aware that my design may contain some errors. It’s just my version.

The concept of ‘Internet of Things’, where many ‘things’ interact
between each other, requires new model of security. I would like to
propose my idea of using existing elements, which are reliable and
widely used in today’s networks.

KEY ELEMENTS

Zone - a virtual area where different hosts are located and
depends on the zone membership you can set up different types of secure
connections.

GET VPN Server/Key Server - responsible for maintaining security
policies, authenticating the GMs and providing the session key for
encrypting traffic. KS authenticates the individual GMs at the time of
registration. Only after successful registration the GMs can participate
in group SA.

GET VPN Client/Group Member - registers with the key server to get
the IPSec SA that is necessary to encrypt data traffic within the
group. The group member provides the group ID to the key server to get
the respective policy and keys for this group. These keys are refreshed
periodically by KS, and before the current IPSec SAs expire, so that
there is no loss of traffic.

Zone Manager – a device which manages hosts and security connection, it plays also role as a DHCP server and wireless router.

mini-IOS – special version of software for hosts with security features (GETVPN client).

ZONE DESCRIPTION

There are three types of zones with different functionality:

Zone “1” (figure 1) – this is the most trusted zone where hosts
trust each other and can communicate freely (using secure connection).

Zone “2” (figure 2)– this zone is half-trusted and defines the
relationship between hosts in the zone “1” and external, designated
partners. For one host in the zone “1” you can define multiple partners
from zone “2”.

Zone “3” (figure 3) – this zone covers the whole Internet and by
default any host from the zone “3” can communicate with hosts from zone
“1” and “2”. Once you define a new relation with host/partner from the
zone “3”, the host is promoted to the zone “2”.

The repository of software (mini-IOS) for hosts from zone “1” –
the upgrading process works like for Wireless Controllers and Access
Points. The software is automatically downloaded by a host when the IOS
versions of a host and a server are different.

Negotiate security parameters with partners (zone 2) to secure
connections with designated hosts (for example: a TV (zone1) has
connection with TV-Service (zone2); a fridge (zone1) has connection with
e-store you have chosen (zone2)).

ZONE “1” MEMBER’S REGISTRATION STEPS

Connect to the wireless network (controlled and managed by the
Zone Manager) – the DHCP server on the Zone Manager assigns IP for the
client.

From the Zone Manager console you approve members which can be in the Zone “1”.

From the Zone Manager you provide ‘identity number’ required by GET VPN.

From the Zone Manager you provide ISAKMP parameters required by GET VPN.

Approved clients start process of joining to the Zone “1” – the
Key Server automatically updates GET VPN configuration based on the IP
allocated by the DHCP: ACL for interesting traffic. The DHCP server’s IP
is taken to GET VPN client configuration (server IP).